Re: [TLS] Adoption call for Deprecating Obsolete Key Exchange Methods in TLS

Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 02 August 2021 13:04 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "<tls@ietf.org>" <tls@ietf.org>
Date: Mon, 2 Aug 2021 13:04:13 +0000
Message-ID: <SY4PR01MB625174541F326DAAEBF5C2CAEEEF9@SY4PR01MB6251.ausprd01.prod.outlook.com>
References: <SY4PR01MB625105EC510E42D398BE0467EEEE9@SY4PR01MB6251.ausprd01.prod.outlook.com> <CABiKAoR5U2i4izZmaWYyRXP5PbrAvRuQUAwAJTm+YbLBeO+T5g@mail.gmail.com>, <YQbxx3tLAr07Aus/@straasha.imrryr.org>
In-Reply-To: <YQbxx3tLAr07Aus/@straasha.imrryr.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9QThTkiMU2q8lRMiPlhiGV4ScS4>
Subject: Re: [TLS] Adoption call for Deprecating Obsolete Key Exchange Methods in TLS

Viktor Dukhovni <ietf-dane@dukhovni.org> writes:

>with confirmation from Peter Gutmann below that any custom groups we're
>likely to encounter are almost certainly safe

Well, I haven't examined every crypto library on the planet, so that's not to
say there isn't something somewhere that implements its keygen as:

for i = 0 to 256
  dhprime[ i ] = rand();

but of the ones I'm aware of, when you ask for DLP parameters you get
something appropriate like Sophie Germain primes or FIPS 186 or equivalent,
e.g. Lim-Lee parameter generation.

>I don't see a realistic scenario in which sufficiently large ad-hoc server DH
>parameters are a problem.

+1.  Also, if mentioning specific published values, it'd be good to go with
RFC 3526 rather than RFC 7919 due to the non-use of RFC 7919 in implementations
(unless there are implementations using the RFC 7919 primes while not
implementing RFC 7919 itself).

Peter.
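The thread above argues that ad-hoc server DH parameters are fine as long as they are large and were generated the way real libraries generate them (safe primes, or FIPS 186 / Lim-Lee style p = kq + 1). The following is an added example, not code from this post or from any library mentioned in it: a client-side sanity check for a received DH group that tests the properties a safe-prime group must have (size, p prime, (p-1)/2 prime, generator of the order-q subgroup), and shows it accepting the RFC 3526 2048-bit MODP group while rejecting the "rand()-filled" caricature and a mis-transcribed constant. The RFC 3526 hex constant is copied from the RFC; the Miller-Rabin round count, the 2048-bit floor and the function names are this example's own choices. The check as written applies only to safe-prime groups; for FIPS 186 / Lim-Lee parameters the subgroup order q is much shorter than (p-1)/2 and must be supplied alongside p and g.

```python
import random

# RFC 3526, section 3: the 2048-bit MODP group (group 14), generator 2.
MODP_2048_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
MODP_2048 = int("".join(MODP_2048_HEX.split()), 16)

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin with trial division first; `rounds` random bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True


def check_dh_group(p: int, g: int = 2, min_bits: int = 2048) -> tuple[bool, str]:
    """Accept (p, g) only if p is a safe prime of at least min_bits bits and
    g generates the prime-order subgroup of size q = (p-1)/2."""
    if p.bit_length() < min_bits:
        return False, f"p too small: {p.bit_length()} bits < {min_bits}"
    if p % 2 == 0:
        return False, "p is even"
    if not is_probable_prime(p):
        return False, "p is not prime"
    q = (p - 1) // 2
    if not is_probable_prime(q):
        return False, "p is prime but (p-1)/2 is not: not a safe prime"
    if g <= 1 or g >= p - 1:
        return False, "generator out of range (1 < g < p-1 required)"
    # For a safe prime every g outside {1, p-1} has order q or 2q; insist on q
    # so that the shared secret cannot leak a bit through the order-2 part.
    if pow(g, q, p) != 1:
        return False, "g does not generate the order-q subgroup"
    return True, "safe prime with order-q generator"


def rand_filled_candidate(seed: int = 1) -> int:
    """The caricature from the post: 256 bytes of rand() output used as 'p'.
    Seeded so the example is reproducible (constructed test input)."""
    rng = random.Random(seed)
    return int.from_bytes(bytes(rng.getrandbits(8) for _ in range(256)), "big")


if __name__ == "__main__":
    print("RFC 3526 group 14:", check_dh_group(MODP_2048))
    print("rand()-filled 'prime':", check_dh_group(rand_filled_candidate()))
    # One flipped low bit, i.e. a mis-typed last hex digit, makes p even.
    print("typo'd constant:", check_dh_group(MODP_2048 ^ 1))
    print("1024-bit-class input rejected on size:", check_dh_group(23, 2))
    print("small safe prime, size floor lifted:", check_dh_group(23, 2, min_bits=0))
```

Run as a script it reports each candidate with the reason it was accepted or rejected. On a 2048-bit safe prime the two Miller-Rabin passes cost a few dozen modular exponentiations, which is negligible next to the handshake itself, so there is no reason not to run this before using a custom group a server sends.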